The Mirai botnet, discovered in 201
The New and Improved Mirai Infects More Devices
On March 18, 2019, security researchers from Palo Alto Networks revealed that Mirai has been optimized and updated to reach the same goal on a larger scale. The researchers found that Mirai used eleven new exploits (27 in total), and a new list of default administrator credentials to try. Some of the changes target enterprise hardware, including LG Supersign TVs and WePresent WiPG-1000 wireless presentation systems.
Mirai can be even more powerful if it can take over business hardware and commandeer enterprise networks. As Ruchna Nigam, Senior Threat Researcher at Palo Alto Networks, puts it:
These new features give the botnet a large attack surface. Targeting enterprise connections also grants them access to greater bandwidth, ultimately leading to firewall firing power for DDoS attacks.
This variant of Mirai still attacks consumer routers, cameras, and other network-connected devices. The more devices it infects, the more destructive it becomes. Ironically, the malicious payload was hosted on a website promoting a company that dealt with "electronic security, integration, and alarm monitoring."
Mirai Is a Botnet That Attacks IoT Devices
In case you don't remember, in 2016 the Mirai botnet seemed to be everywhere. It targeted routers, DVR systems, IP cameras and more. These devices are often referred to as the Internet of Things (IoT) and include simple devices such as thermostats that connect to the Internet. Botnets work by infecting groups of computers and other devices connected to the Internet, then forcing these infected machines to attack systems or achieve other goals in a coordinated fashion.
Mirai went after devices with default administrator credentials, either because nobody had changed them or because the manufacturer hard-coded them. The botnet took over a huge number of devices. Even though most of these systems were not very powerful, in sheer numbers they could work together to accomplish more than a single zombie computer could alone.
Mirai took over nearly 500,000 devices. With this cluster of IoT devices, Mirai crippled services such as Xbox Live and Spotify, as well as sites like BBC and GitHub, by targeting DNS providers. With so many infected machines, Dyn (a DNS provider) was shut down by a 1.1 terabyte DDoS attack. A DDoS attack floods a target with massive amounts of Internet traffic, more than the target can handle. As a result, the victim's website or service slows to a crawl or is forced off the Internet entirely.
The original creators of the Mirai botnet software were arrested, found guilty, and remanded. For a while, Mirai was shut down. But enough of the code survived that other bad actors could take it over and adapt Mirai to their needs. Now there is another variant of Mirai out there.
How to Protect Yourself from Mirai
Like other botnets, Mirai uses known exploits to attack and compromise devices. It also tries known default credentials to get into a device and take it over. Your three best protective measures are therefore straightforward.
Always update the firmware (and software) of everything you have at home or at work that is connected to the Internet. Hacking is a cat and mouse game. Once a researcher discovers a new exploit, patches follow to fix the problem. Botnets like this thrive on unpatched devices, and this version of Mirai is no different. The exploits targeting business hardware were identified last September and in 2017.
Change the administrator credentials (username and password) of your devices as soon as possible. For routers, you can do this through the router's web interface or mobile app (if available). For other devices that you log in to with a default username or password, see the device manual.
If you can log in with admin, password, or an empty field, you must change it. Make sure that you change the default credentials when you set up a new device. If you have already set up devices and have not changed the password, do so now. This new version of Mirai targets new combinations of default usernames and passwords.
If your device manufacturer has stopped publishing new firmware updates, or the administrator credentials are hard-coded and you cannot change them, consider replacing the device.
The best way to check is to start at the manufacturer's website. Find the support page for your device and look for firmware update notices. Check when the last one was released. If years have passed since a firmware update, the manufacturer probably no longer supports the device.
For instructions on changing the administrator credentials, see the device manufacturer's support website. If you cannot find any firmware updates or a method to change the device password, it's probably time to replace the device.
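The three measures above can be applied to a whole device inventory at once. The following is an added example, not part of the original article: the `Device` fields, the action names, the two-year staleness threshold and the sample inventory are all assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Logins the article says must be changed: "admin", "password", or an empty field.
WEAK_PASSWORDS = {"admin", "password", ""}
# Assumption: "years have passed" is read here as two or more years with no new firmware.
STALE_AFTER_DAYS = 2 * 365

@dataclass
class Device:
    name: str
    admin_password: str
    credentials_changeable: bool  # False when the manufacturer hard-coded them
    last_firmware_release: date   # newest release listed on the vendor's support page
    running_latest: bool          # True if that release is already installed

def triage(dev: Device, today: date) -> list[str]:
    """Return the article's recommended actions for one device."""
    abandoned = (today - dev.last_firmware_release).days >= STALE_AFTER_DAYS
    if abandoned or not dev.credentials_changeable:
        # No patches coming, or a login that can never be changed: replace it.
        return ["replace"]
    actions = []
    if dev.admin_password.strip().lower() in WEAK_PASSWORDS:
        actions.append("change-credentials")
    if not dev.running_latest:
        actions.append("update-firmware")
    return actions

def audit(inventory: list[Device], today: date) -> dict[str, list[str]]:
    """Map each device name to its actions; an empty list means nothing to do."""
    return {dev.name: triage(dev, today) for dev in inventory}

# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("hallway-camera", "admin", True, date(2018, 11, 2), False),
    Device("lobby-display", "k7#Vq2-long-unique", True, date(2015, 6, 10), True),
    Device("old-dvr", "vendor-fixed", False, date(2018, 12, 1), True),
    Device("home-router", "correct horse battery staple", True, date(2019, 2, 20), True),
]

if __name__ == "__main__":
    for name, actions in audit(SAMPLE_INVENTORY, date(2019, 3, 18)).items():
        print(f"{name:15} {', '.join(actions) or 'ok'}")
```

A device marked `replace` gets no other actions, because patching or re-passwording does not help when the vendor has stopped shipping fixes or the login cannot be changed.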
Replacing your devices may seem dramatic, but if they're vulnerable, this is the best option. Botnets like Mirai do not go away. You need to protect your devices. By protecting your own devices, you protect the rest of the internet.